“There are major oversights it doesn’t address”
The government is mulling plans to introduce a mandatory IoT security labelling scheme – although it is suggesting voluntary implementation to start with – as it launched a five-week consultation that closes June 5.
The consultation, which opened today, proposes three security requirements: that IoT devices passwords be unique and unable to be reset to factory defaults; that all IoT manufacturers provide a public point of contact for vulnerability disclosures; and that they are explicit about the length of security update provision.
NCSC Technical Director Dr Ian Levy said: “Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers. This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”
IoT Security Labelling Consultation Follows Code of Practice Launch
The consultation follows the government’s voluntary “Secure by Design” Code of Practice for consumer IoT security launched last year. The Code advocates stronger cyber security measures be built into smart products right from the design stage, and has been backed by Centrica Hive, HP Inc Geo and more recently Panasonic.
The proposals come a day after Margot James held a roundtable on IoT security with global technology companies. Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand all “affirmed their commitment to taking steps to ensure that effective security solutions are being implemented across IoT products on the market”, she said.
The consultation has been published alongside a consumer survey report which tested various label designs with 6,482 UK consumers as part of helping to create a labelling scheme that was backed by evidence, and comes as ETSI, the European Standards Organisation, in February launched Technical Specification 103 645, the first globally-applicable industry standard on the cybersecurity of consumer Iot devices.
Security Industry Responds: Yes, But…
David Emm, principal security researcher at Kaspersky Lab UK, said: “We welcome the proposal to require companies marketing smart devices to comply with minimum security standards… baby monitors and televisions, have been available to buy for some years now, [that remain] vulnerable to cyber-attacks due to the failure of many companies to build in security at the design stage when developing smart devices.
“Having an industry standard requirement, that all connected products must adhere to, would make all items available to purchase much safer.”
Others struck a more cautious note: Sonatype’s Global Director of Solutions Architecture, Ilkka Turunen, said: “While the news of proposed IoT security legislation is definitely a big step in the right direction, there are major oversights it doesn’t address. When 1 in 8 software components downloaded by developers in the UK contain a known security vulnerability, increasing the occurrence of supply chain infiltration attacks, it’s not enough to just offer a point of contact to whom vulnerabilities are disclosed, or set an amount of time for providing updates.”
“Manufacturers, businesses and governments need to work together to ensure these components aren’t in their products to begin with, and should find a way of certifying the software supply chain – like a list of ingredients used to build the product.”
“The tools are available to enable manufacturers to build security into their applications right from the start, meaning failure to do so should amount to gross negligence. No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different? Instead, manufacturers should be able to certify that their software, and their devices, are secure at the time of shipping, and should ensure their security updates last for the mandated time.”
“The legislation will put further pressure on device manufacturers to act. However, it shouldn’t take government intervention for businesses to take responsibility and practice proper software hygiene This will help introduce much-needed supervision t over what has been a bit of a wild west so far.”